Consumer Reports: Can your car get hacked?

Your car's computer knows much more about you than you may realize, notes Consumer Reports. It's constantly tracking your driving behavior, speed, seat belt use and more.

Because your car is networked, outside infiltration of your private data represents a serious threat to consumers. But misuse or inappropriate lawful use of that data is also a concern. In 2011, GM's OnStar division came under fire when it said it had the right to share location data with third parties. Likewise, data from apps used in your car's infotainment system could be sold to advertisers.

At a recent conference, Bryan Biniak, Microsoft's vice president of developer experiences, said those kinds of intuitive corporate interactions with drivers "based upon who I am and what I like" could be a good thing. What does that mean for you? In the future, you could see targeted spam appear on your dash screen -- perhaps a coupon for an oil change or a suggestion that you stop for a nearby cappuccino.

Today, some insurance companies offer reduced rates to drivers who install a driving-behavior tracker in their car -- but could raise the rates if they speed. Already, some lenders install devices that can remotely halt a car purchased by a buyer who misses a payment.

But your data can also be hacked. Any time someone connects to your car's onboard diagnostics system (OBD-II) port, your vehicle's secrets become accessible. And black hat computer hackers are claiming they can remotely invade your car's data systems without ever gaining access to the inside of your vehicle.

The takeaway: Driving privacy is under threat, if the auto industry and lawmakers don't take action, says Thilo Koslowski, automotive practice leader at technology research firm Gartner.

RUNAWAY WHEELS

What's more, some of those onboard infotainment computers have interactions with your car's driving controls. Consider the OnStar navigation and emergency-assist system: It tracks your car's location and history, but it also can disable your car if it's stolen.

Though being able to remotely stop a vehicle with a drunk driver behind the wheel or a kidnapped child inside can be a good thing, the wider implications are disturbing. Could someone with bad intentions remotely hack into your car's controls to lock your brakes in traffic or send you careening off a bridge?

A recent "60 Minutes" television segment raised that specter -- and demonstrated how it could be done, complete with a video of occupants sitting helplessly as someone with a laptop took remote control of their car's horn, windshield wipers and even its brakes.

BUT HOW REALISTIC IS THAT SCENARIO?

The U.S. government's Defense Advanced Research Projects Agency (DARPA) and the National Highway Traffic Safety Administration have been working on identifying ways to protect consumers from car hacking for years.

For its "60 Minutes" hack, DARPA needed to know the secure phone number that allows the vehicle to interact with the automaker's cellular network. But it did not need the vehicle identification number of the car or any other specific data.

Dan Kaufman, director of DARPA's Information Innovation Office, admits his team "knew the car quite well" in running its hack. Such an attack "would not work on just any random car," Kaufman wrote in an email to Consumer Reports, "although a similar technique would work on many modern cars."

True, the scary scenario is not easy to achieve, but experts expect it to get easier. The worry among computer scientists is that a 14-year-old could eventually perform the hack from a laptop.

Massachusetts Sen. Ed Markey recently authored a report that studied the security systems of 16 automakers -- and found them to be lacking. His office plans to introduce legislation to toughen vehicle security and privacy standards. Consumers Union will work with Markey, NHTSA and the Federal Trade Commission to ensure that your data is better protected.